
tl;dr

A short post with code examples that show how to use TLPv2 with STIX 2.1.

Overview

TLP version 2.0 is the current version of TLP standardized by FIRST. It is authoritative from August 2022 onwards.

Source: FIRST

Despite TLPv2 superseding TLPv1 over one year ago, the STIX2 Python library does not yet support it, as mentioned in my post, A Quick Start Guide to Generate Threat Intelligence Using the STIX2 Python Library. Its built-in TLP_WHITE, TLP_GREEN, TLP_AMBER and TLP_RED constants are the TLPv1 marking definitions.

However, the TLPv2 marking-definition objects do exist and have fixed STIX IDs, so you can reference them by ID without any library support.

Here is a quick example of how to use them:

Preparation

You need to install the Python STIX2 library. This post describes how.

TLPv2 Marking Definition STIX IDs

For reference:

  • TLP:CLEAR: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
  • TLP:GREEN: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
  • TLP:AMBER: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
  • TLP:AMBER+STRICT: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
  • TLP:RED: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1

Now all that's needed is to add the TLPv2 marking-definition ID to the object's object_marking_refs property. Keep in mind this is only a reference: a consumer can only resolve it if it already knows the TLPv2 IDs or if you include the corresponding marking-definition object in the bundle you share.

A TLP:CLEAR example

For example, to mark an object as TLP:CLEAR:

# python3 generate_sdo_tlpv2_clear.py
## Start by importing all the things you will need
### https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.sdo.html#stix2.v21.sdo.AttackPattern

from stix2 import AttackPattern

## Create the AttackPattern SDO, marking it TLP:CLEAR by referencing the
## TLPv2 marking-definition ID directly (the library's TLP_* constants are TLPv1)

AttackPatternDemo = AttackPattern(
    created_by_ref="identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
    name="Spear Phishing",
    description="Used for tutorial content",
    created="2020-01-01T00:00:00.000000Z",
    modified="2020-01-01T00:00:00.000000Z",
    object_marking_refs=[
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"  # TLP:CLEAR
    ]
)

## Print the object to the command line as pretty-printed JSON

print(AttackPatternDemo.serialize(pretty=True))

Running the script prints the following (the id is generated at random, so it will differ on each run):

{
    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--6b6a61df-44dd-4c3a-81aa-ac57a786ff47",
    "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
    "created": "2020-01-01T00:00:00.000000Z",
    "modified": "2020-01-01T00:00:00.000000Z",
    "name": "Spear Phishing",
    "description": "Used for tutorial content",
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
    ]
}
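Marking an object is only half the job: something downstream has to honour the marking when the object leaves your environment. The example below is added here and is not code from the post or from the stix2 library. It works on the serialised JSON (plain dicts, exactly what serialize() prints), so it needs only the standard library. It uses the TLPv2 IDs listed above, the TLPv1 IDs from the STIX 2.1 specification (the ones stix2's TLP_* constants still emit), and the TLPv2 ordering CLEAR < GREEN < AMBER < AMBER+STRICT < RED. The sample bundle, the indicator objects in it and the channel-filtering function are constructed for illustration.

```python
import json
import uuid

# TLPv2 marking-definition IDs, as listed earlier on this page.
TLPV2 = {
    "TLP:CLEAR": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "TLP:GREEN": "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb",
    "TLP:AMBER": "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421",
    "TLP:AMBER+STRICT": "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003",
    "TLP:RED": "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1",
}
# TLPv1 marking-definition IDs from the STIX 2.1 specification. These are what
# the stix2 library's TLP_WHITE / TLP_GREEN / TLP_AMBER / TLP_RED constants emit.
TLPV1 = {
    "TLP:WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "TLP:RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
# TLPv2 levels from least to most restrictive; AMBER+STRICT sits between AMBER and RED.
ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]
V2_ID_TO_LEVEL = {mid: name for name, mid in TLPV2.items()}
V1_ID_TO_NAME = {mid: name for name, mid in TLPV1.items()}


def tlp_level(obj):
    """Return the TLPv2 level of a serialised STIX object (a dict).

    Raises ValueError if the object is unmarked, still carries a TLPv1 marking,
    or references more than one TLPv2 level (an object has exactly one TLP).
    """
    refs = obj.get("object_marking_refs", [])
    v1 = [V1_ID_TO_NAME[r] for r in refs if r in V1_ID_TO_NAME]
    if v1:
        raise ValueError(f"{obj['id']} carries TLPv1 marking {v1[0]}; re-mark it with TLPv2")
    levels = sorted({V2_ID_TO_LEVEL[r] for r in refs if r in V2_ID_TO_LEVEL}, key=ORDER.index)
    if not levels:
        raise ValueError(f"{obj['id']} has no TLPv2 marking")
    if len(levels) > 1:
        raise ValueError(f"{obj['id']} has conflicting TLP markings: {levels}")
    return levels[0]


def releasable(obj, channel_level):
    """True if obj may be sent to a channel whose recipients are cleared up to channel_level."""
    return ORDER.index(tlp_level(obj)) <= ORDER.index(channel_level)


def filter_bundle(bundle, channel_level):
    """Return (filtered_bundle, dropped) for release to channel_level.

    marking-definition objects pass through so the kept objects' references
    still resolve. Anything that cannot be classified is dropped rather than
    leaked, and each drop is reported with its reason so it can be logged.
    """
    kept, dropped = [], []
    for obj in bundle["objects"]:
        if obj["type"] == "marking-definition":
            kept.append(obj)
            continue
        try:
            if releasable(obj, channel_level):
                kept.append(obj)
            else:
                dropped.append((obj["id"], f"{tlp_level(obj)} exceeds {channel_level}"))
        except ValueError as exc:
            dropped.append((obj["id"], str(exc)))
    return {"type": "bundle", "id": bundle["id"], "objects": kept}, dropped


def sample_bundle():
    """Constructed input: the attack-pattern printed above, plus two indicators,
    one marked TLP:AMBER+STRICT and one still carrying the TLPv1 TLP:WHITE id."""
    def indicator(marking_id):
        return {
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": "2020-01-01T00:00:00.000Z", "modified": "2020-01-01T00:00:00.000Z",
            "pattern_type": "stix", "pattern": "[domain-name:value = 'example.com']",
            "valid_from": "2020-01-01T00:00:00Z",
            "object_marking_refs": [marking_id],
        }
    attack_pattern = {
        "type": "attack-pattern", "spec_version": "2.1",
        "id": "attack-pattern--6b6a61df-44dd-4c3a-81aa-ac57a786ff47",
        "created": "2020-01-01T00:00:00.000Z", "modified": "2020-01-01T00:00:00.000Z",
        "name": "Spear Phishing",
        "object_marking_refs": [TLPV2["TLP:CLEAR"]],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [attack_pattern, indicator(TLPV2["TLP:AMBER+STRICT"]),
                        indicator(TLPV1["TLP:WHITE"])]}


if __name__ == "__main__":
    out, dropped = filter_bundle(sample_bundle(), "TLP:AMBER")
    print(json.dumps(out, indent=4))
    for object_id, reason in dropped:
        print(f"dropped {object_id}: {reason}")
```

Run against a channel cleared to TLP:AMBER, the TLP:CLEAR attack-pattern is released, the TLP:AMBER+STRICT indicator is held back, and the indicator still marked with the TLPv1 TLP:WHITE id is rejected with an explicit reason rather than silently treated as TLP:CLEAR. Failing closed on anything unmarked or ambiguously marked is the important design choice: a feed that cannot prove an object's classification should not ship it.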


Posted by:

David Greenwood